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Algorithm Implementation Requirements and Usage Guidance for DNSSEC 
Abstract 


The DNSSEC protocol makes use of various cryptographic algorithms in 
order to provide authentication of DNS data and proof of 
nonexistence. To ensure interoperability between DNS resolvers and 
DNS authoritative servers, it is necessary to specify a set of 
algorithm implementation requirements and usage guidelines to ensure 
that there is at least one algorithm that all implementations 


support. This document defines the current algorithm implementation 
requirements and usage guidance for DNSSEC. This document obsoletes 
RFC 6944. 


Status of This Memo 
This is an Internet Standards Track document. 


This document is a product of the Internet Engineering Task Force 


(IETF). It represents the consensus of the IETF community. It has 
received public review and has been approved for publication by the 
Internet Engineering Steering Group (IESG). Further information on 


Internet Standards is available in Section 2 of RFC 7841. 


Information about the current status of this document, any errata, 
and how to provide feedback on it may be obtained at 
https://www.rfc-editor.org/info/rfc8624. 
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Copyright Notice 


Copyright (c) 2019 IETF Trust and the persons identified as the 
document authors. All rights reserved. 


This document is subject to BCP 78 and the IETF Trust’s Legal 
Provisions Relating to IETF Documents 
(https://trustee.ietf.org/license-info) in effect on the date of 
publication of this document. Please review these documents 
carefully, as they describe your rights and restrictions with respect 
to this document. Code Components extracted from this document must 
include Simplified BSD License text as described in Section 4.e of 
the Trust Legal Provisions and are provided without warranty as 
described in the Simplified BSD License. 


Table of Contents 


w 


die, WNELOOUGEOMs Lr, po ced Re eas Ey Bie ee RE. i at Ss a Bie SO a aA ee sal & 
1.1. Updating Algorithm Implementation Requirements and Usage 
Guidance: is soa oe de ie no he be a, Oo Ba 

1.2. Updating Algorithm Requirement Levels 
1.3. Document Audience 

Conventions Used in This Document 
3. Algorithm Selection 
.1. DNSKEY Algorithms 
-2. DNSKEY Algorithm Recommendation 
.3. DS and CDS Algorithms 
.4. DS and CDS Algorithm Recommendation 
Security Considerations 
Operational Considerations 
IANA Considerations 
References Scat in s 

`, 1. Normative References 

7.2. Informative References 
Acknowledgements 
Authors’ Addresses 


N 


WWW W 


eooo ATAU A BW W 


SQ ON 


PPR 
Erow 


Wouters & Sury Standards Track [Page 2] 


RFC 8624 DNSSEC Cryptographic Algorithms June 2019 


1. Introduction 


The DNSSEC signing algorithms are defined by various RFCs, including 
[RFC4034], [RFC5155], [RFC5702], [RFC5933], [RFC6605], and [RFC8080]. 
DNSSEC is used to provide authentication of data. To ensure 
interoperability, a set of "mandatory-to-implement" DNSKEY algorithms 
are defined. This document obsoletes [RFC6944]. 


1.1. Updating Algorithm Implementation Requirements and Usage Guidance 


The field of cryptography evolves continuously. New, stronger 
algorithms appear, and existing algorithms are found to be less 
secure than originally thought. Attacks previously thought to be 
computationally infeasible become more accessible as the available 
computational resources increase. Therefore, algorithm 
implementation requirements and usage guidance need to be updated 
from time to time to reflect the new reality. The choices for 
algorithms must be conservative to minimize the risk of algorithm 
compromise. 


1.2. Updating Algorithm Requirement Levels 


The mandatory-to-implement algorithm of tomorrow should already be 
available in most implementations of DNSSEC by the time it is made 
mandatory. This document attempts to identify and introduce those 
algorithms for future mandatory-to-implement status. There is no 
guarantee that algorithms in use today will become mandatory in the 
future. Published algorithms are continuously subjected to 
cryptographic attack and may become too weak or even be completely 
broken before this document is updated. 


This document only provides recommendations with respect to 
mandatory-to-implement algorithms or algorithms so weak that they 
cannot be recommended. Any algorithm listed in the [DNSKEY-IANA] and 
[DS-IANA] registries that are not mentioned in this document MAY be 
implemented. For clarification and consistency, an algorithm will be 
specified as MAY in this document only when it has been downgraded 
from a MUST or a RECOMMENDED to a MAY. 


Although this document’s primary purpose is to update algorithm 
recommendations to keep DNSSEC authentication secure over time, it 
also aims to do so in such a way that DNSSEC implementations remain 
interoperable. DNSSEC interoperability is addressed by an 
incremental introduction or deprecation of algorithms. 


[RFC2119] considers the term SHOULD equivalent to RECOMMENDED, and 
SHOULD NOT equivalent to NOT RECOMMENDED. The authors of this 
document have chosen to use the terms RECOMMENDED and NOT 
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RECOMMENDED, as this more clearly expresses the intent to 
implementers. 


It is expected that deprecation of an algorithm will be performed 
gradually in a series of updates to this document. This provides 
time for various implementations to update their implemented 
algorithms while remaining interoperable. Unless there are strong 
security reasons, an algorithm is expected to be downgraded from MUST 
to NOT RECOMMENDED or MAY, instead of to MUST NOT. Similarly, an 
algorithm that has not been mentioned as mandatory-to-implement is 
expected to be introduced with a RECOMMENDED instead of a MUST. 


Since the effect of using an unknown DNSKEY algorithm is that the 
zone is treated as insecure, it is recommended that algorithms 
downgraded to NOT RECOMMENDED or lower not be used by authoritative 
nameservers and DNSSEC signers to create new DNSKEYs. This will 
allow for deprecated algorithms to become less and less common over 
time. Once an algorithm has reached a sufficiently low level of 
deployment, it can be marked as MUST NOT so that recursive resolvers 
can remove support for validating it. 


Recursive nameservers are encouraged to retain support for all 
algorithms not marked as MUST NOT. 


1.3. Document Audience 


The recommendations of this document mostly target DNSSEC 
implementers, as implementations need to meet both high security 
expectations as well as high interoperability between various vendors 
and with different versions. Interoperability requires a smooth 
transition to more secure algorithms. This perspective may differ 
from that of a user who wishes to deploy and configure DNSSEC with 
only the safest algorithm. On the other hand, the comments and 
recommendations in this document are also expected to be useful for 
such users. 


2. Conventions Used in This Document 
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 
"SHOULD", “SHOULD NOT", "RECOMMENDED", “NOT RECOMMENDED", "MAY", and 


"OPTIONAL" in this document are to be interpreted as described in 
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all 
capitals, as shown here. 
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Algorithm Selection 
.1. DNSKEY Algorithms 


The following table lists the implementation recommendations for 


DNSKEY algorithms [DNSKEY-IANA 
4+-------- 4+-------------------- 4+----------------- 4+------------------- + 

Number Mnemonics DNSSEC Signing DNSSEC Validation 
4+-------- 4+-------------------- 4+----------------- 4+------------------- + 

1 RSAMD5 MUST NOT MUST NOT 

3 DSA MUST NOT MUST NOT 

5 RSASHA1 NOT RECOMMENDED MUST 

6 DSA-NSEC3-SHA1 MUST NOT MUST NOT 

7 RSASHA1-NSEC3-SHA1 NOT RECOMMENDED MUST 

8 RSASHA256 MUST MUST 

10 RSASHA512 NOT RECOMMENDED MUST 

12 ECC-GOST MUST NOT MAY 

13 ECDSAP256SHA256 MUST MUST 

14 ECDSAP384SHA384 MAY RECOMMENDED 

15 ED25519 RECOMMENDED RECOMMENDED 

16 ED448 MAY RECOMMENDED 
+-------- 4+-------------------- 4+----------------- 4+------------------- + 


RSAMD5 is not widely deployed, and there is an industry-wide trend to 
deprecate MD5 usage. 


RSASHA1 and RSASHA1-NSEC3-SHA1 are widely deployed, although the 
zones deploying it are recommended to switch to ECDSAP256SHA256 as 
there is an industry-wide trend to move to elliptic curve 
cryptography. RSASHA1 does not support NSEC3. RSASHA1-NSEC3-SHA1 
can be used with or without NSEC3. 


DSA and DSA-NSEC3-SHA1 are not widely deployed and are vulnerable to 
private key compromise when generating signatures using a weak or 
compromised random number generator. 


RSASHA256 is widely used and considered strong. It has been the 
default algorithm for a number of years and is now slowly being 
replaced with ECDSAP256SHA256 due to its shorter key and signature 
size, resulting in smaller DNS packets. 


RSASHA512 is NOT RECOMMENDED for DNSSEC signing because it has not 
seen wide deployment, but there are some deployments; hence, DNSSEC 
validation MUST implement RSASHA512 to ensure interoperability. 
There is no significant difference in cryptographic strength between 
RSASHA512 and RSASHA256; therefore, use of RSASHA512 is discouraged 
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as it will only make deprecation of older algorithms harder. People 
who wish to use a cryptographically stronger algorithm should switch 
to elliptic curve cryptography algorithms. 


ECC-GOST (GOST R 34.10-2001) has been superseded by GOST R 34.10-2012 
in [RFC7091]. GOST R 34.10-2012 hasn’t been standardized for use in 
DNSSEC. 


ECDSAP256SHA256 provides more cryptographic strength with a shorter 
signature length than either RSASHA256 or RSASHA512. ECDSAP256SHA256 
has been widely deployed; therefore, it is now at MUST level for both 
validation and signing. It is RECOMMENDED to use the deterministic 
digital signature generation procedure of the Elliptic Curve Digital 
Signature Algorithm (ECDSA), specified in [RFC6979], when 
implementing ECDSAP256SHA256 (and ECDSAP384SHA384) . 


ECDSAP384SHA384 shares the same properties as ECDSAP256SHA256 but 
offers a modest security advantage over ECDSAP256SHA256 (192 bits of 
strength versus 128 bits). For most DNSSEC applications, 
ECDSAP256SHA256 should be satisfactory and robust for the foreseeable 
future and is therefore recommended for signing. While it is 
unlikely for a DNSSEC use case requiring 192-bit security strength to 
arise, ECDSA384SHA384 is provided for such applications, and it MAY 
be used for signing in these cases. 


ED25519 and ED448 use the Edwards-curve Digital Security Algorithm 
(EGDSA). There are thr main advantages of EdDSA: it does not 
require the use of a unique random number for each signature, there 
are no padding or truncation issues as with ECDSA, and it is more 
resilient to side-channel attacks. Furthermore, EdDSA cryptography 
is less prone to implementation errors ([RFC8032], [RFC8080]). It is 
expected that ED25519 will become the future RECOMMENDED default 
algorithm once there’s enough support for this algorithm in the 
deployed DNSSEC validators. 


3.2. DNSKEY Algorithm Recommendation 


Due to the industry-wide trend towards elliptic curve cryptography, 
ECDSAP256SHA256 is the RECOMMENDED DNSKEY algorithm for use by new 
DNSSEC deployments, and users of RSA-based algorithms SHOULD upgrade 
to ECDSAP256SHA256. 
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3.3. DS and CDS Algorithms 


The following table lists the recommendations for Delegation Signer 
Digest Algorithms [DS-IANA]. These recommendations also apply to the 
Child Delegation Signer (CDS) RRTYPE as specified in [RFC7344]. 


+-------- 4+----------------- 4+------------------- 4+------------------- + 
Number Mnemonics DNSSEC Delegation DNSSEC Validation 
+-------- 4+----------------- 4+------------------- 4+------------------- + 

0 NULL (CDS only) MUST NOT [*] MUST NOT [*] 

1 SHA-1 MUST NOT MUST 

2 SHA-256 MUST MUST 

3 GOST R 34.11-94 MUST NOT MAY 

4 SHA-384 MAY RECOMMENDED 
+-------- 4+----------------- 4+------------------- 4+------------------- + 

*] - This is a special type of CDS record signaling removal of DS at 


the parent in [RFC8078]. 
NULL is a special case; see [RFC8078]. 


SHA-1 is still widely used for Delegation Signer (DS) records, so 
validators MUST implement validation, but it MUST NOT be used to 
generate new DS and CDS records (see "Operational Considerations" for 
caveats when upgrading from the SHA-1 to SHA-256 DS algorithm.) 


SHA-256 is widely used and considered strong. 


GOST R 34.11-94 has been superseded by GOST R 34.11-2012 in 
[RFC6986]. GOST R 34.11-2012 has not been standardized for use in 
DNSSEC. 


SHA-384 shares the same properties as SHA-256 but offers a modest 
security advantage over SHA-256 (384 bits of strength versus 256 
bits). For most applications of DNSSEC, SHA-256 should be 
satisfactory and robust for the foreseeable future and is therefore 
recommended for DS and CDS records. While it is unlikely fora 
DNSSEC use case requiring 384-bit security strength to arise, SHA-384 
is provided for such applications, and it MAY be used for generating 
DS and CDS records in these cases. 


3.4. DS and CDS Algorithm Recommendation 


An operational recommendation for new and existing deployments: 
SHA-256 is the RECOMMENDED DS and CDS algorithm. 
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4. Security Considerations 


The security of cryptographic systems depends on both the strength of 
the cryptographic algorithms chosen and the strength of the keys used 
with those algorithms. The security also depends on the engineering 
of the protocol used by the system to ensure that there are no non- 
cryptographic ways to bypass the security of the overall system. 


This document concerns itself with the selection of cryptographic 
algorithms for use in DNSSEC, specifically with the selection of 
"mandatory-to-implement" algorithms. The algorithms identified in 
this document as MUST or RECOMMENDED to implement are not known to be 
broken (in the cryptographic sense) at the current time, and 
cryptographic research so far leads us to believe that they are 
likely to remain secure into the foreseeable future. However, this 
isn’t necessarily forever, and it is expected that new revisions of 
this document will be issued from time to time to reflect the current 
best practices in this area. 


Retiring an algorithm too soon would result in a zone (signed with a 
retired algorithm) being downgraded to the equivalent of an unsigned 
zone. Therefore, algorithm deprecation must be done very slowly and 
only after careful consideration and measurement of its use. 


5. Operational Considerations 
DNSKEY algorithm rollover in a live zone is a complex process. See 
[RFC6781] and [RFC7583] for guidelines on how to perform algorithm 
rollovers. 
DS algorithm rollover in a live zone is also a complex process. 


Upgrading an algorithm at the same time as rolling a new Key Signing 
Key (KSK) will lead to DNSSEC validation failures. Administrators 
MUST complete the process of the DS algorithm upgrade before starting 
a rollover process for a new KSK. 


6. IANA Considerations 


This document has no IANA actions. 
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